Enterasys-networks 9034385 Manuel d'utilisateur télécharger pdf (Page 30)

Model 3: End-System Authorization with Assessment

2-8 NAC Deployment Models

ARADIUSserverisonlyrequiredifout‐of‐bandnetworkaccesscontrolusingtheNACGateway,

orinlinenetworkaccesscontrolusingtheLayer2NACController,isimplementedwithweb‐

basedand/or802.1Xauthenticati on.

NetSightPolicyManagerisrequiredforallinlineNACdeployments,andrecommendedforout‐

‐bandNACdeploymentsthatutilizeEnterasyspolicy‐capableswitches.PolicyManager

providestheabilitytocentrallydefineandconfiguretheauthorizationlevelsorpolicies.

NetSightInventoryManagerisanoptionalcomponent,providingcomprehensivenetwork

inventoryandchangemanagementcapabilities.

Model 3: End-System Authorization with Assessment

ThisNACdeploymentmodelimplementsthedetection,authentication,assessmentand

authorizationNACfunctionalitiesforconnectingend‐systems.InModel2,end‐systemsandend

usersconnectedtothenetworkareauthorizedbasedonthedeviceidentity,useridentity,and/or

locationinformation.Model3extendstheauthorizationdecisioninNACtoone

additional

dimension—thesecuritypostureoftheend‐systemasdeterminedfromanassessment.The

assessmentcanbeexecutedthroughagent‐basedoragent‐lesstechniquesandcanidentify

differentpiecesofinformationaboutthedevice,suchanantivirussoftwareconfiguration,

operatingsystempatchesinstalled,softwareapplicationsinstalledand

running,processes

running,servicesconfigured,andregistryvaluesset.

ItisimportanttonotethatitisnotnecessarytoconfiguretheEnterasysNACsolutionto

quarantineend‐systemsthatfailassessment.Infact,duringtheinitialrolloutofNAConthe

enterprisenetwork,itishighlyrecommendedthatend‐systems

arenotrestrictedaccesstothe

networkinanywaybefore,during,orafterfailedassessment.ThispassiveNACconfiguration

allowstheITadministratortobaselinetheconfigurationofdevicesonthenetworkand

understandthecurrentlandscapeofitsassetswithoutimpactingnetworkconnectivityfor

connectingend‐systems.Inthis

configuration,itisnotnecessarytoinformtheendusersthatthey

arebeingassessedorhavefailedassessmentbecausethereislittle‐to‐noimpactonnetwork

connectivityduringthisassessment.End‐systemscanbescannedinthebackgroundproviding 

thenetworkadministratorwithimportantvisibilityintohowdevices

areconfiguredontheir

network,whileenduserscanutilizethenetworkasdesired.Then,whenthenetwork

administratorisready,theEnterasysNACsolutioncanbeconfiguredwiththeclickofabuttonto

immediatelyrestrictaccessforend‐systemsthathavefailedassessment.

Implementation

InModel3,end‐systemscanbedetectedandtracked,authenticated,assessed,andauthorizedin

differentwaysdependingonwhetherinlineorout‐of‐bandnetworkaccesscontrolis

implementedintheEnterasysNACsolution.

Out-of-Band NAC

Forout‐of‐bandEnterasysNACdeploymentsutilizingtheNACGateway,NACfunctionsare

implementedinthefollowingway:

Detection‐AsdescribedinModel2.

Authentication‐AsdescribedinModel2.

Assessment‐TheNACGatewaycanleverageeitherlocalassessmentservicesand/orremote

assessmentservicesdeployedonthenetwork.TheNACGatewayʹ

slocalassessmentservices

includeagent‐lessassessmentwhichcanexecutevariousserver‐sidechecks(whetheranFTP

1 2 ... 25 26 27 28 29 30 31 32 33 34 35 ... 97 98

Commentaires sur ces manuels

Pas de commentaire

Enterasys-networks 9034385 Manuel d'utilisateur Page 30

Commentaires sur ces manuels

Produits connexes et manuels pour Outils Enterasys-networks 9034385